THE GDPR Nearly Three Years On, 5 Things You Need to Know
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. Although pertinent to the Personally Identifiable Information (PII) of citizens within the European Economic Area, its effect has reached around the world.
As many organisations grappled with updating their data security practices in line with tighter legislation, several questions remained unanswered. Does the GDPR have teeth? Will public bodies issue the hefty fines they were now able to? Well, the data is now in and we can look back on almost three years of the effects the GDPR has had on data privacy.
- £245.3 million in fines so far and rising.
According to DLA Piper, as of January 2021 £245.3 million worth of fines have been imposed throughout Europe, and a total of 160,921 personal data breaches have been recorded. At first glance, it appears the fines issued are not as eye-watering as the GDPR allows for (up to €20/£17m or 4% global turnover.) It is important to remember however that there are two tiers of fines based on the type and severity of the infringement, and that Europe-wide it was made clear that only the most severe data breaches would be subject to the greatest fines, and this seems to be the case. The five largest fines under the GDPR totals €155.45m, so over half of the fines issued have been over those five GDPR breaches (Google, H&M, TIM Telecom, British Airways and Marriott Group).
- It’s not all about data breaches.
Of the top five highest fines under the GDPR, only two have been for breaches of personal data. The other three are for other reasons. The common denominator however is that it has been poor practice that has landed these organisations with large fines. What this highlights is the importance the regulators have placed on culture and processes of data protection overall and not just focus on mitigating a data breach.
- The regulators haven’t had it all their own way.
For those who followed the development of the British Airways data breach, you will recall that the ICO issued a notice to fine the airline £183m. After appeal and taking the impact of the pandemic into account, this was reduced to £20m. A similar pattern was seen with the Marriott group data breach, with the ICO initially intending to fine £100m but being reduced to £18.4m for the same reason as British Airways. When it comes to the larger fines, it appears that the regulators are still testing their powers to issue them. Both British Airways and Marriott Group have faced financial hardship because of the pandemic, but this is not the case for all organisations.
- Businesses have not had it all their way either.
Type ‘British Airways Data Breach’ into any search engine and you’ll notice legal firms and class action suits against British Airways following the breach. Over 16,000 people have registered with one law firm. Based on similar lawsuits, it’s estimated that this alone could cost BA an additional £800m in compensation. There are also group actions planned for Marriott, and following the €100m fine from French regulator CNIL for Google, group actions are also planned. The GDPR allows for private right of action for violations of the law, both for material and non-material damage. On top of regulators now being able to issue higher fines, consumers can now claim compensation too.
- The GDPR has teeth, and it’s biting.
This is most evident through the numbers and value of the fines being issued to organisations. Having said that, the regulators appear to be sticking to the narrative that only the most severe breaches will receive the largest fines. Regulators are taking external factors into account and adjusting accordingly, namely the pandemic, but only where applicable. What organisations cannot rely on are affected individuals being as forgiving. With group actions and the GDPR allowing individuals to make claims for their data being breached, there is a very real possibility that these will hit organisations harder than regulatory fines.
In 2021 and with the end of the pandemic on the horizon, now is the time for organisations to learn the lessons from others who have fallen foul of the GDPR to date. Focusing on data protection practices and making compliance a habit goes a long way in avoiding the full ramifications of a data breach.